suricata
decode-erspan.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * Decodes ERSPAN Types I and II
31  */
32 
33 #include "suricata-common.h"
34 #include "suricata.h"
35 #include "decode.h"
36 #include "decode-events.h"
37 #include "decode-erspan.h"
38 
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 
42 /**
43  * \brief Functions to decode ERSPAN Type I and II packets
44  */
45 
46 /**
47  * \brief ERSPAN Type I
48  */
49 int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
50  const uint8_t *pkt, uint32_t len)
51 {
52  StatsIncr(tv, dtv->counter_erspan);
53 
54  return DecodeEthernet(tv, dtv, p, pkt, len);
55 }
56 
57 /**
58  * \brief ERSPAN Type II
59  */
60 int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
61 {
62  StatsIncr(tv, dtv->counter_erspan);
63 
64  if (len < sizeof(ErspanHdr)) {
65  ENGINE_SET_EVENT(p,ERSPAN_HEADER_TOO_SMALL);
66  return TM_ECODE_FAILED;
67  }
68 
69  const ErspanHdr *ehdr = (const ErspanHdr *)pkt;
70  uint16_t version = SCNtohs(ehdr->ver_vlan) >> 12;
71  uint16_t vlan_id = SCNtohs(ehdr->ver_vlan) & 0x0fff;
72 
73  SCLogDebug("ERSPAN: version %u vlan %u", version, vlan_id);
74 
75  /* only v1 is tested at this time */
76  if (version != 1) {
77  ENGINE_SET_EVENT(p,ERSPAN_UNSUPPORTED_VERSION);
78  return TM_ECODE_FAILED;
79  }
80 
81  if (vlan_id > 0) {
82  if (p->vlan_idx >= 2) {
83  ENGINE_SET_EVENT(p,ERSPAN_TOO_MANY_VLAN_LAYERS);
84  return TM_ECODE_FAILED;
85  }
86  p->vlan_id[p->vlan_idx] = vlan_id;
87  p->vlan_idx++;
88  }
89 
90  return DecodeEthernet(tv, dtv, p, pkt + sizeof(ErspanHdr), len - sizeof(ErspanHdr));
91 }
92 
93 /**
94  * @}
95  */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:976
len
uint8_t len
Definition: app-layer-dnp3.h:4
decode-erspan.h
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:168
DecodeERSPAN
int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type II.
Definition: decode-erspan.c:60
Packet_::vlan_id
uint16_t vlan_id[2]
Definition: decode.h:436
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:437
DecodeThreadVars_::counter_erspan
uint16_t counter_erspan
Definition: decode.h:658
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:79
ERSPAN_UNSUPPORTED_VERSION
@ ERSPAN_UNSUPPORTED_VERSION
Definition: decode-events.h:188
util-unittest.h
decode.h
util-debug.h
DecodeERSPANTypeI
int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Functions to decode ERSPAN Type I and II packets.
Definition: decode-erspan.c:49
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
ERSPAN_HEADER_TOO_SMALL
@ ERSPAN_HEADER_TOO_SMALL
Definition: decode-events.h:187
Packet_
Definition: decode.h:408
decode-events.h
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:375
suricata-common.h
version
uint8_t version
Definition: decode-gre.h:3
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:622
suricata.h
ERSPAN_TOO_MANY_VLAN_LAYERS
@ ERSPAN_TOO_MANY_VLAN_LAYERS
Definition: decode-events.h:189
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:41